Abstract. Abstraction is one of the most important strategies for dealing with the state space explosion problem in model checking. Although the state space of the abstract model is largely reduced, a counterexample found in such a model may not be a real counterexample, and the abstract model then needs to be further refined, which often involves an NP-hard state separation problem. In this paper, a novel method is presented in which extra variables are added to the abstract model for the refinement. With this method, not only is the NP-hard state separation problem avoided, but a smaller refined abstract model is also obtained.

1 Introduction

Model checking is an important approach for the verification of hardware, software, multi-agent systems, communication protocols, embedded systems and so forth. The term model checking was coined by Clarke and Emerson [1], and independently by Queille and Sifakis [7]. The earlier model checking algorithms explicitly enumerated the reachable states of the system in order to check the correctness of a given specification. This restricted the capacity of model checkers to systems with a few million states. Since the number of states can grow exponentially in the number of variables, early implementations were only able to handle small designs and did not scale to examples of industrial complexity. To combat this, various methods, such as abstraction, partial order reduction, OBDDs, symmetry reduction and bounded techniques, are applied to model checking to reduce the state space and make verification efficient. Thanks to these efforts, model checking has become one of the most successful verification approaches and is widely adopted in industry.

Among the techniques for reducing the state space, abstraction is certainly the most important one. Abstraction preserves all the behaviors of the concrete system but may introduce behaviors that are not present originally. Thus, if a property (i.e. a temporal logic formula, universal as in ACTL*, which is the setting of CEGAR) is satisfied in the abstract model, it is also satisfied in the concrete model. However, if a property is violated in the abstract model, it may still be satisfied in the concrete model, because none of the behaviors that violate the property in the abstract model may be reproducible in the concrete model. In this case, the counterexample is said to be spurious. Thus, when a spurious counterexample is found, the abstraction should be refined in order to eliminate the spurious behaviors. This process is repeated until either a real counterexample is found or the abstract model satisfies the property.

There are many techniques for generating the initial abstraction and refining the abstract models. We follow the counterexample guided abstraction refinement method proposed by Clarke et al. [5]. With this method, abstraction is performed by selecting a set of variables which are insensitive to the desired property and making them invisible. In each iteration, a model checker is employed to check whether or not the abstract model satisfies the desired property. If a counterexample is reported, it is simulated on the concrete model by a SAT solver or checked by other algorithms. Then, if the counterexample turns out to be spurious, a set of invisible variables is made visible to refine the abstract model. With this method, finding the coarsest (or smallest) refined model is NP-hard [5]. Further, it is important to find a small set of variables in order to keep the size of the abstract state space small. However, finding the smallest set of variables is also NP-hard [9]. To combat this, an Integer Linear Programming (ILP) based separation algorithm which outputs the minimal separating set is given in [5], and a polynomial approximation algorithm based on Decision Tree Learning (DTL) is also presented in [5]. Moreover, heuristic-guided separation algorithms are presented in [8], and evolutionary algorithms are introduced in [9] for the state separation problem. These approximate algorithms are compared by experimental results.

In this paper, we follow the abstraction method used in [5,8,9] by selecting some set of variables to be invisible. Then we evaluate the counterexample with Algorithm CheckSpurious. When a failure state is found, instead of selecting some invisible variables to be made visible, extra variables are added to the abstract model for the refinement. With this method, not only is the NP-hard state separation problem avoided, but a smaller refined abstract model is also obtained.

The rest of the paper is organized as follows. The next section briefly presents the related work concerning abstraction refinement in model checking. In Section 3, the abstraction algorithm is formalized by making insensitive variables invisible. In Section 4, after formally defining spurious counterexamples, the algorithm for checking whether or not a counterexample in the abstract model is spurious is presented, followed by the new abstraction refinement algorithm. Subsequently, the abstract model checking framework based on the newly proposed algorithms is illustrated in Section 5. Finally, conclusions are drawn in Section 6.



2 Related Work

We focus on the Counter-Example Guided Abstraction Refinement (CEGAR) framework which was first proposed by Kurshan [10]. Recently, several variations of the basic CEGAR scheme have been given [5,11,12,13,14,15,16]. Most of them use a model checker and try to get rid of spurious counterexamples in order to obtain either a concrete counterexample or a proof of the desired property.

The closest works to ours are those where the abstract models are obtained by making some of the variables invisible. To the best of our knowledge, this abstraction method was first proposed by Clarke et al. [5,12]. With their approach, abstraction is performed by selecting a set of variables (or latches in circuits) to be invisible. In each iteration, a standard Ordered Binary Decision Diagram (OBDD)-based symbolic model checker is used to check whether or not the abstract model satisfies the desired property, which is described by a formula in temporal logic. If a counterexample is reported by the model checker, it is simulated on the concrete system by a SAT solver. If the SAT instance is satisfiable, the counterexample is a real one; otherwise, the counterexample is spurious and a failure state is found, which is the last state in the longest prefix of the counterexample that is still satisfiable. Subsequently, the failure state is used to refine the abstraction by making some invisible variables visible. With this method, finding the smallest refined model is NP-hard [5]. To combat this, both an optimal exponential algorithm and approximate polynomial algorithms are given. The first uses an ILP solver, ILP itself being NP-complete; the second is based on machine learning approaches.

Some heuristics for the selection of refinement variables were first presented in [8], which studied effective greedy heuristic algorithms for the state separation problem. Further, in [6], a probabilistic learning approach which utilizes the sample learning technique, evolutionary algorithms and effective heuristics were proposed. Their performance was illustrated by experimental results.

3 Abstraction Function

As usual, a Kripke structure [4] is used to model a system. Let $V = \{v_1, \ldots, v_n\}$, ranging over a finite domain $D \cup \{\bot\}$, be the set of variables involved in a system. For any $v_i \in V$, $1 \le i \le n$, the set of valuations of $v_i$ is defined by

$$\Sigma_{v_i} = \{\, v_i = d \mid d \in D \cup \{\bot\} \,\}$$

where $v_i = \bot$ means that $v_i$ is undefined. Further, the set of all possible states of the system, $\Sigma$, is defined by

$$\Sigma = \Sigma_{v_1} \times \cdots \times \Sigma_{v_n}$$

Let $AP$ be the set of atomic propositions. A Kripke structure over $AP$ is a tuple $K = (S, S_0, R, L)$, where $S \subseteq \Sigma$ is the set of states (i.e. a state in $S$ is a valuation of the variables in $V$), $S_0 \subseteq S$ is the set of initial states, $R \subseteq S \times S$ is the transition relation, and $L : S \to 2^{AP}$ is the labeling function. For convenience, $s(v)$ denotes the value of $v$ at state $s$. A path in a Kripke structure is a sequence of states $\pi = s_1, s_2, \ldots$ where $s_1 \in S_0$ and $(s_i, s_{i+1}) \in R$ for any $i \ge 1$.

Following the idea given in [5], we separate $V$ into two parts $V_V$ and $V_I$ with $V = V_V \cup V_I$. $V_V$ is the set of visible variables while $V_I$ denotes the set of invisible variables. Invisible variables are those that we do not care about and that are ignored when building the abstract model. In the original model $K = (S, S_0, R, L)$, all variables are visible ($V_V = V$, $V_I = \emptyset$). To obtain the abstract model $\hat{K} = (\hat{S}, \hat{S}_0, \hat{R}, \hat{L})$, some variables $V_X \subseteq V$ are selected to be invisible ($V_V = V \setminus V_X$, $V_I = V_X$). Thus, the set of all possible states in the abstract model is

$$\hat{\Sigma} = \Sigma_{v_1} \times \cdots \times \Sigma_{v_k}$$

where $k = |V_V| \le n$ and $v_i \in V_V$ for each $1 \le i \le k$; that is, $\hat{S} \subseteq \hat{\Sigma}$. For a state $s \in S$ and a state $\hat{s} \in \hat{S}$, we say that $\hat{s}$ is the projection of $s$ onto the abstract model obtained by making $V_V$ visible, denoted by $\hat{s} = h(s, V_V)$, iff $\hat{s}(v) = s(v)$ for any $v \in V_V$. Conversely, $s$ is called an origin of $\hat{s}$, and the set of origins of $\hat{s}$ is denoted by $h^{-1}(\hat{s}, V_V)$.

Therefore, given the original model $K = (S, S_0, R, L)$ and the selected visible variables $V_V$, the abstract model $\hat{K} = (\hat{S}, \hat{S}_0, \hat{R}, \hat{L})$ can be obtained by Algorithm Abstract as shown below.



Algorithm 1 : Abstract($K$, $V_V$)

Input: the original model $K = (S, S_0, R, L)$ and a set of selected visible variables $V_V$
Output: the abstract model $\hat{K} = (\hat{S}, \hat{S}_0, \hat{R}, \hat{L})$
1: $\hat{S} = \{\hat{s} \in \hat{\Sigma} \mid$ there exists $s \in S$ such that $h(s, V_V) = \hat{s}\}$;
2: $\hat{S}_0 = \{\hat{s} \in \hat{S} \mid$ there exists $s \in S_0$ such that $h(s, V_V) = \hat{s}\}$;
3: $\hat{R} = \{(\hat{s}_1, \hat{s}_2) \mid \hat{s}_1, \hat{s}_2 \in \hat{S}$, and there exist $s_1, s_2 \in S$ such that $h(s_1, V_V) = \hat{s}_1$, $h(s_2, V_V) = \hat{s}_2$ and $(s_1, s_2) \in R\}$;
4: $\hat{L}(\hat{s}) = \bigcup_{s \in S,\; h(s, V_V) = \hat{s}} L(s)$;
5: return $\hat{K} = (\hat{S}, \hat{S}_0, \hat{R}, \hat{L})$;



Example 1 As illustrated in Figure 1, the original model is a Kripke structure with four states. Initially, the system has four variables $v_1$, $v_2$, $v_3$ and $v_4$. Assume that $v_3$ and $v_4$ are selected to be invisible. By Algorithm Abstract, an abstract model with two states is obtained. In the abstract model, $\hat{s}_1$ is the projection of $s_1$ and $s_2$, while $\hat{s}_2$ is the projection of $s_3$ and $s_4$. $(\hat{s}_1, \hat{s}_2) \in \hat{R}$ since $(s_2, s_3) \in R$, and $(\hat{s}_1, \hat{s}_1), (\hat{s}_2, \hat{s}_2) \in \hat{R}$ because $(s_1, s_2), (s_3, s_4) \in R$. □

Fig. 1. Abstraction



4 Refinement 

4.1 Why Refining? 

It can be observed that the state space is largely reduced in the abstract model. However, when model checking the abstract model, some reported counterexamples will not be real counterexamples that violate the desired property, since the abstract model contains more paths than the original model. This is further illustrated by the traffic light controller example given below. The example was first presented in [5].

Example 2 For the traffic light controller in Figure 2, we want to prove $\Box\Diamond(\mathit{state} = \mathit{stop})$ (at any time, the state of the light will be stop at some point in the future). When model checking the abstract model on the right hand side of Figure 2, where the variable $\mathit{color}$ is made invisible, a counterexample $\hat{s}_1, \hat{s}_2, \hat{s}_2, \hat{s}_2, \ldots$ is reported, because the abstract state $\mathit{state} = \mathit{go}$ has a self-loop. However, in the concrete model, such a behavior cannot be found. So this is not a real counterexample. □

Fig. 2. Traffic Light Controller. Original model: three states, ($\mathit{color} = \mathit{red}$, $\mathit{state} = \mathit{stop}$), ($\mathit{color} = \mathit{yellow}$, $\mathit{state} = \mathit{go}$) and ($\mathit{color} = \mathit{green}$, $\mathit{state} = \mathit{go}$). Abstract model: two states, $\mathit{state} = \mathit{stop}$ and $\mathit{state} = \mathit{go}$. $V = \{\mathit{color}, \mathit{state}\}$, $V_V = \{\mathit{state}\}$, $V_I = \{\mathit{color}\}$.

4.2 Spurious Counterexamples 

As pointed out in [5,6], a counterexample in the abstract model which does not exist in the concrete model is called a spurious counterexample. To formally define a spurious counterexample, we first introduce failure states. To this end, $In^0_{\hat{s}_i}, In^1_{\hat{s}_i}, \ldots, In^n_{\hat{s}_i}$ and $In_{\hat{s}_i}$ are defined first:

$$In^0_{\hat{s}_i} = \{\, s \mid s \in h^{-1}(\hat{s}_i, V_V),\ s' \in h^{-1}(\hat{s}_{i-1}, V_V) \text{ and } (s', s) \in R \,\}$$

$$In^1_{\hat{s}_i} = \{\, s \mid s \in h^{-1}(\hat{s}_i, V_V),\ s' \in In^0_{\hat{s}_i} \text{ and } (s', s) \in R \,\}$$

$$\cdots$$

$$In^n_{\hat{s}_i} = \{\, s \mid s \in h^{-1}(\hat{s}_i, V_V),\ s' \in In^{n-1}_{\hat{s}_i} \text{ and } (s', s) \in R \,\}$$

$$In_{\hat{s}_i} = \bigcup_{j=0}^{n} In^j_{\hat{s}_i}$$

Clearly, $In^0_{\hat{s}_i}$ denotes the set of states in $h^{-1}(\hat{s}_i, V_V)$ with incoming edges from the states in $h^{-1}(\hat{s}_{i-1}, V_V)$, $In^1_{\hat{s}_i}$ stands for the set of states in $h^{-1}(\hat{s}_i, V_V)$ with incoming edges from the states in $In^0_{\hat{s}_i}$, $In^2_{\hat{s}_i}$ is the set of states in $h^{-1}(\hat{s}_i, V_V)$ with incoming edges from the states in $In^1_{\hat{s}_i}$, and so on. Thus, $In_{\hat{s}_i}$ denotes the set of states in $h^{-1}(\hat{s}_i, V_V)$ that are reachable from some state in $h^{-1}(\hat{s}_{i-1}, V_V)$, as illustrated in the lower gray part of Figure 3. Note that there must exist a natural number $n$ such that $\bigcup_{j=0}^{n+1} In^j_{\hat{s}_i} = \bigcup_{j=0}^{n} In^j_{\hat{s}_i}$, since $h^{-1}(\hat{s}_i, V_V)$ is finite. Similarly, $Out^0_{\hat{s}_i}, Out^1_{\hat{s}_i}, \ldots, Out^n_{\hat{s}_i}$ and $Out_{\hat{s}_i}$ can also be defined:

$$Out^0_{\hat{s}_i} = \{\, s \mid s \in h^{-1}(\hat{s}_i, V_V),\ s' \in h^{-1}(\hat{s}_{i+1}, V_V) \text{ and } (s, s') \in R \,\}$$

$$Out^1_{\hat{s}_i} = \{\, s \mid s \in h^{-1}(\hat{s}_i, V_V),\ s' \in Out^0_{\hat{s}_i} \text{ and } (s, s') \in R \,\}$$

$$\cdots$$

$$Out^n_{\hat{s}_i} = \{\, s \mid s \in h^{-1}(\hat{s}_i, V_V),\ s' \in Out^{n-1}_{\hat{s}_i} \text{ and } (s, s') \in R \,\}$$

$$Out_{\hat{s}_i} = \bigcup_{j=0}^{n} Out^j_{\hat{s}_i}$$

Here $Out^0_{\hat{s}_i}$ denotes the set of states in $h^{-1}(\hat{s}_i, V_V)$ with outgoing edges to the states in $h^{-1}(\hat{s}_{i+1}, V_V)$, $Out^1_{\hat{s}_i}$ stands for the set of states in $h^{-1}(\hat{s}_i, V_V)$ with outgoing edges to the states in $Out^0_{\hat{s}_i}$, $Out^2_{\hat{s}_i}$ is the set of states in $h^{-1}(\hat{s}_i, V_V)$ with outgoing edges to the states in $Out^1_{\hat{s}_i}$, and so on. Thus, $Out_{\hat{s}_i}$ denotes the set of states in $h^{-1}(\hat{s}_i, V_V)$ from which some state in $h^{-1}(\hat{s}_{i+1}, V_V)$ is reachable, as depicted in the upper gray part of Figure 3. As for $In_{\hat{s}_i}$, there must exist a natural number $n$ such that $\bigcup_{j=0}^{n+1} Out^j_{\hat{s}_i} = \bigcup_{j=0}^{n} Out^j_{\hat{s}_i}$. Accordingly, a failure state can be defined as follows.

Fig. 3. $In_{\hat{s}_i}$ and $Out_{\hat{s}_i}$

Definition 1 (Failure States) A state $\hat{s}_i$ in a counterexample $\hat{\pi}$ is a failure state if $In_{\hat{s}_i} \ne \emptyset$, $Out_{\hat{s}_i} \ne \emptyset$ and $In_{\hat{s}_i} \cap Out_{\hat{s}_i} = \emptyset$. □

Further, given a failure state $\hat{s}_i$ in a counterexample $\hat{\pi}$, the set of origins of $\hat{s}_i$, $h^{-1}(\hat{s}_i, V_V)$, is separated into three sets: $\mathcal{D} = In_{\hat{s}_i}$ (the set of dead states), $\mathcal{B} = Out_{\hat{s}_i}$ (the set of bad states) and $\mathcal{I} = h^{-1}(\hat{s}_i, V_V) \setminus (\mathcal{D} \cup \mathcal{B})$ (the set of isolated states). Note that, by the definition of a failure state, $\mathcal{D}$ and $\mathcal{B}$ cannot be empty, while $\mathcal{I}$ may be empty.

Definition 2 (Spurious Counterexamples) A counterexample $\hat{\pi}$ in an abstract model $\hat{K}$ is spurious if there exists at least one failure state $\hat{s}_i$ in $\hat{\pi}$. □

Example 3 Figure 4 shows a spurious counterexample where the state 3 is a failure state. In the set of origins of state 3, $h^{-1}(3, V_V) = \{7, 8, 9\}$, 9 is a dead state, 7 is a bad state, and 8 is an isolated state. □

Fig. 4. A Spurious Path

In [5], Algorithm SplitPath is presented for checking whether or not a counterexample is spurious, and a SAT solver is also used there to check the counterexample. We present Algorithm CheckSpurious for checking whether or not a counterexample is spurious based on the formal definition of spurious paths. The algorithm takes a counterexample as input and outputs the first failure state as well as $\mathcal{D}$, $\mathcal{B}$ and $\mathcal{I}$ with respect to that failure state. Note that a counterexample may be a finite path $\langle \hat{s}_1, \hat{s}_2, \ldots, \hat{s}_n \rangle$, $n \ge 1$, or an infinite path $\langle \hat{s}_1, \hat{s}_2, \ldots, (\hat{s}_i, \ldots, \hat{s}_j)^\omega \rangle$, $1 \le i \le j$, with a loop suffix (a suffix produced by a loop). A finite counterexample is checked directly, while for an infinite one we need only check its finite prefix $\langle \hat{s}_1, \hat{s}_2, \ldots, \hat{s}_i, \ldots, \hat{s}_j, \hat{s}_i \rangle$.

The difference from Algorithm SplitPath is that SplitPath decides whether $\hat{s}_i$ is a failure state from all the states in the prefix $\hat{s}_1, \ldots, \hat{s}_{i-1}$, because the set of concrete states it carries forward at each step is the image of the set computed for the previous step, whereas Algorithm CheckSpurious decides it from the predecessor and successor states $\hat{s}_{i-1}$ and $\hat{s}_{i+1}$ alone. Consequently, checking a periodic infinite counterexample with SplitPath needs several repetitions of the periodic part, while with Algorithm CheckSpurious it is done by checking the finite prefix $\langle \hat{s}_1, \hat{s}_2, \ldots, \hat{s}_i, \ldots, \hat{s}_j, \hat{s}_i \rangle$ once.



Algorithm 2 : CheckSpurious($\hat{\pi}$)

Input: a counterexample $\hat{\pi} = \langle \hat{s}_1, \hat{s}_2, \ldots, \hat{s}_n \rangle$ in the abstract model $\hat{K} = (\hat{S}, \hat{S}_0, \hat{R}, \hat{L})$, and the original model $K = (S, S_0, R, L)$
Output: a failure state $\hat{s}_f$, $\mathcal{D}$, $\mathcal{B}$ and $\mathcal{I}$
1: Initialization: int $i = 2$;
2: while $i \le n - 1$ do
3:   if $In_{\hat{s}_i} \cap Out_{\hat{s}_i} \ne \emptyset$, $i = i + 1$;
4:   else return $\hat{s}_f = \hat{s}_i$, $\mathcal{D} = In_{\hat{s}_i}$, $\mathcal{B} = Out_{\hat{s}_i}$, and $\mathcal{I} = h^{-1}(\hat{s}_i, V_V) \setminus (\mathcal{B} \cup \mathcal{D})$; break;
5: end while
6: if $i = n$, return $\hat{\pi}$ is a real counterexample;



4.3 Refining Algorithm

When a failure state and the corresponding $\mathcal{D}$, $\mathcal{B}$ and $\mathcal{I}$ are reported by Algorithm CheckSpurious, we need to further refine the abstract model such that $\mathcal{D}$ and $\mathcal{B}$ are separated into different abstract states. This can be achieved by making a set of invisible variables, $U \subseteq V_I$, visible [5]. With this method, finding the coarsest refined model is NP-hard. Further, to keep the size of the refined abstract state space small, it is important to make $U$ as small as possible. However, finding the smallest $U$ is also NP-hard [6]. In [5], an ILP solver is used to obtain the minimal set. However, it is inefficient when the problem size is large, since ILP is NP-complete. To combat this, several approximate polynomial algorithms with non-optimal results are proposed in [5,8,9]. Moreover, even though a coarser refined abstract model may be produced by making $U$ smaller, it is not guaranteed that the smallest $U$ induces the coarsest refined abstract model. Motivated by this, a new refinement approach is proposed that adds extra boolean variables to the set of visible variables. With this approach, not only can the NP-hard problem be avoided, but a coarser refined abstract model can also be obtained. The basic idea of the refining algorithm is described below.

Assume that a failure state is found with $\mathcal{D} = \{s_1, s_2\}$, $\mathcal{B} = \{s_4\}$ and $\mathcal{I} = \{s_3, s_5\}$, as illustrated in Figure 5, where the abstract model is obtained by making $V_{V1}$ and $V_{V2}$ visible and the other variables invisible. To separate $\mathcal{D}$ and $\mathcal{B}$ into two abstract states, an extra boolean variable $B$ is added to the system, with value $0$ at the states in $\mathcal{D}$, $1$ at the state in $\mathcal{B}$, and $\bot$ at the states in $\mathcal{I}$ and all other states. That is, $s_1(B) = 0$, $s_2(B) = 0$, $s_4(B) = 1$, and $s_i(B) = \bot$ for every $s_i \in S$ with $i \ne 1, 2, 4$. Subsequently, by setting $V_V' = V_V \cup \{B\}$ and $V_I' = V_I$, the failure state is separated into three states in the refined abstract model, as illustrated in Figure 6. Note that only the failure state is separated into three states; the other states are the same as in the abstract model. In particular, when $\mathcal{I} = \emptyset$, the failure state is separated into two new states.

Therefore, given a failure state $\hat{s}_f$ (as well as $\mathcal{D}$, $\mathcal{B}$ and $\mathcal{I}$) in the abstract model $\hat{K} = (\hat{S}, \hat{S}_0, \hat{R}, \hat{L})$, where $\hat{S} \subseteq \hat{\Sigma} = \Sigma_{v_1} \times \cdots \times \Sigma_{v_k}$ and $V_V = \{v_1, \ldots, v_k\}$, a boolean variable $B$ is added as a visible variable with $s(B) = 0$ if $s \in \mathcal{D}$, $s(B) = 1$ if $s \in \mathcal{B}$, and $s(B) = \bot$ if $s \notin \mathcal{D} \cup \mathcal{B}$. Thus, the set of all possible states in the refined abstract model is

$$\hat{\Sigma}' = \hat{\Sigma} \times \Sigma_B$$

where $\Sigma_B = \{\, B = d \mid d \in \{0, 1, \bot\} \,\}$. Accordingly, the refined abstract model $\hat{K}' = (\hat{S}', \hat{S}_0', \hat{R}', \hat{L}')$ can be obtained by Algorithm Refine.

Fig. 5. A Failure State

Fig. 6. Refined Abstract States



Algorithm 3 : Refine($\hat{K}$, $\mathcal{D}$, $\mathcal{B}$, $\mathcal{I}$, $B$)

Input: the abstract model $\hat{K} = (\hat{S}, \hat{S}_0, \hat{R}, \hat{L})$ with $V_V$ visible, together with the original model $K = (S, S_0, R, L)$ it was built from; $\mathcal{D}$, $\mathcal{B}$ and $\mathcal{I}$ reported by Algorithm CheckSpurious; the new boolean variable $B$ to be added
Output: the refined model $\hat{K}' = (\hat{S}', \hat{S}_0', \hat{R}', \hat{L}')$
1: $s(B) = 0$ if $s \in \mathcal{D}$; $s(B) = 1$ if $s \in \mathcal{B}$; $s(B) = \bot$ if $s \notin \mathcal{D} \cup \mathcal{B}$;
2: $\hat{S}' = \{\hat{s} \in \hat{\Sigma}' \mid$ there exists $s \in S$ such that $h(s, V_V \cup \{B\}) = \hat{s}\}$;
3: $\hat{S}_0' = \{\hat{s} \in \hat{S}' \mid$ there exists $s \in S_0$ such that $h(s, V_V \cup \{B\}) = \hat{s}\}$;
4: $\hat{R}' = \{(\hat{s}_1, \hat{s}_2) \mid \hat{s}_1, \hat{s}_2 \in \hat{S}'$, and there exist $s_1, s_2 \in S$ such that $h(s_1, V_V \cup \{B\}) = \hat{s}_1$, $h(s_2, V_V \cup \{B\}) = \hat{s}_2$ and $(s_1, s_2) \in R\}$;
5: $\hat{L}'(\hat{s}) = \bigcup_{s \in S,\; h(s, V_V \cup \{B\}) = \hat{s}} L(s)$;
6: return $\hat{K}' = (\hat{S}', \hat{S}_0', \hat{R}', \hat{L}')$;



It can be observed that the new refinement algorithm is linear in the size of the state space, since it only needs to assign a value to the newly added boolean variable at each state. Further, in each iteration at most two more states are added (only one when $\mathcal{I}$ is empty). With the algorithm that makes some invisible variables visible, when $\mathcal{D}$ and $\mathcal{B}$ are separated, other nodes (usually a huge number in real systems) are also separated. To illustrate this intrinsic property of the new refining algorithm, a simple example is given below.

Example 4 The Kripke structure illustrated on the l.h.s. of Figure 7(1) presents an original model where three variables $x_1$, $x_2$ and $x_3$ are involved. Assume that $x_2$ and $x_3$ are insensitive to the property, which is expressed as a temporal logic formula. Thus, by making $x_2$ and $x_3$ invisible, the abstract model can be obtained by Algorithm Abstract as illustrated on the r.h.s. of Figure 7(1).

Suppose that a counterexample is found by a model checker as depicted in Figure 7(2). Then Algorithm CheckSpurious reports that $\hat{s}_2$ is a failure state, with $\mathcal{D} = \{s_3\}$ and $\mathcal{B} = \{s_4\}$. First, we show the refined abstract models produced by the method of the related works [5,12,8,9]. The refined abstract models obtained by making $x_2$ and $x_3$ visible, respectively, are illustrated in Figure 8(1) and (2). It can be observed that the smaller of the two is the smallest refined model obtainable under the method of making some invisible variables visible. Clearly, finding the coarsest refined model in this way is an NP-hard problem.

By our method, as depicted in Figure 9, a new boolean variable $B$ is added to the system and made visible. Then the refined abstract model is obtained where only the failure state is separated into two states, with the other states unchanged. Clearly, the new refining algorithm avoids the NP-hard problem of finding the smallest set of visible variables. Moreover, the new refined abstract model is smaller than the best result produced by the method of making further invisible variables visible. □

Clearly, the refined model obtained by Algorithm Refine is not the smallest one. The smallest refined abstract model can easily be obtained by assigning the newly added variable $B$ the value $0$ or $1$ at the states in $\mathcal{I}$, i.e. the failure state is separated into $\mathcal{D} \cup \mathcal{I}$ and $\mathcal{B}$, or into $\mathcal{D}$ and $\mathcal{B} \cup \mathcal{I}$. This is intuitively presented in Figure 10. Compared to Algorithm Refine, only one state is saved in the refinement. However, more iterations may be introduced into the abstract model checking, since $\mathcal{D} \cup \mathcal{I}$ or $\mathcal{B} \cup \mathcal{I}$ may subsequently be found to be a failure state.

Fig. 8. Refinement by the old algorithm

Fig. 9. Refinement by the new algorithm




Fig. 10. Smallest refinement 



5 Abstract Model Checking Framework

With the newly proposed algorithms, the abstract model checking framework is presented. First, the abstract model is obtained by Algorithm Abstract. Then a model checker is employed to check whether or not the abstract model satisfies the desired property. If no errors are found, the model is correct. However, if a counterexample is reported, it is checked by Algorithm CheckSpurious. If the counterexample is not spurious, it is a real counterexample that violates the property; otherwise, the counterexample is spurious, and Algorithm Refine is used to refine the abstract model by adding a new visible boolean variable $B$ to the system. Then the refined abstract model is checked with the model checker again, until either a real counterexample is found or the model is shown to be correct. This process is formally described in Algorithm AbstractMC, where a subscript $i$ is used to identify the different boolean variables that are added to the system in each refinement step. Initially, $i$ is assigned $1$. After each iteration of Algorithm Refine, $i$ is increased by $1$. Only finitely many boolean variables will be added, since the systems verified by model checking are finite: each refinement strictly increases the number of abstract states, which is bounded by $|S|$.

Algorithm 4 : AbstractMC

Input: a model $K = (S, S_0, R, L)$ as a Kripke structure, and a desired property $\varphi$ in temporal logic
Output: a counterexample that violates $\varphi$, or the verdict that $K$ satisfies $\varphi$

Initialization: int $i = 1$;
$\hat{K} = $ Abstract($K$, $V_V$);
MC($\hat{K}$, $\varphi$);
while a counterexample $\hat{\pi}$ is found do
  CheckSpurious($\hat{\pi}$);
  if $\hat{\pi}$ is a real counterexample, return $\hat{\pi}$; break;
  else $\hat{K} = $ Refine($\hat{K}$, $\mathcal{D}$, $\mathcal{B}$, $\mathcal{I}$, $B_i$); $i = i + 1$; MC($\hat{K}$, $\varphi$);
end while
if no counterexample is found, $K$ satisfies $\varphi$.
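The following is an added, executable example and is not code from the paper: it implements Algorithm Abstract (Section 3), Algorithm CheckSpurious with the $In$/$Out$ closures of Section 4.2, Algorithm Refine (Section 4.3) and a loop in the shape of Algorithm AbstractMC, on a small hand-built Kripke structure. The model checker MC is replaced by a breadth-first search for an invariant AG(not bad), which is enough to exercise the loop. The variables x1, x2, the states c1 to c6, the label "err" and the boolean names B1, B2, ... are all constructed for this example.

```python
# Added example, not from the paper: runnable versions of Algorithms Abstract,
# CheckSpurious and Refine, driven by a loop shaped like Algorithm AbstractMC,
# on a hand-built Kripke structure. A state is a tuple of (variable, value)
# pairs in a fixed variable order, None stands for the undefined value bottom,
# and R is a set of state pairs. MC is a BFS for the invariant AG(not bad).
# All names (x1, x2, c1..c6, "err", B1, ...) are constructed for this example.
from collections import deque

def h(s, visible):
    """Projection h(s, V_V): keep only the valuations of visible variables."""
    return tuple((v, d) for v, d in s if v in visible)

def abstract(S, S0, R, L, visible):
    """Algorithm 1: Abstract(K, V_V) -> (S^, S0^, R^, L^)."""
    S_hat = {h(s, visible) for s in S}
    S0_hat = {h(s, visible) for s in S0}
    R_hat = {(h(a, visible), h(b, visible)) for (a, b) in R}
    L_hat = {x: set() for x in S_hat}
    for s in S:  # L^(s^) is the union of L over all origins of s^
        L_hat[h(s, visible)] |= L.get(s, set())
    return S_hat, S0_hat, R_hat, L_hat

def origins(a, S, visible):
    """h^-1(s^, V_V): the concrete states that project onto a."""
    return {s for s in S if h(s, visible) == a}

def closure(seed, inside, R, forward):
    """In_{s^_i} (forward) or Out_{s^_i} (backward): iterate In^j / Out^j inside
    h^-1(s^_i) until the union stops growing; the set is finite, so it stops."""
    reached, frontier = set(seed), set(seed)
    while frontier:
        if forward:
            step = {t for (u, t) in R if u in frontier and t in inside}
        else:
            step = {u for (u, t) in R if t in frontier and u in inside}
        frontier = step - reached
        reached |= frontier
    return reached

def check_spurious(path, S, R, visible):
    """Algorithm 2: CheckSpurious over the finite prefix `path`. Returns None
    for a real counterexample, else (i, D, B, I) with path[i] the first failure
    state (Definition 1: In and Out both non-empty and disjoint)."""
    for i in range(1, len(path) - 1):  # the paper's i = 2 .. n-1, 1-based
        here = origins(path[i], S, visible)
        prev = origins(path[i - 1], S, visible)
        nxt = origins(path[i + 1], S, visible)
        in0 = {s for s in here if any((p, s) in R for p in prev)}
        out0 = {s for s in here if any((s, n) in R for n in nxt)}
        D = closure(in0, here, R, forward=True)    # dead states
        B = closure(out0, here, R, forward=False)  # bad states
        if D and B and not (D & B):
            return i, D, B, here - (D | B)         # I = isolated states
    return None

def refine(S, S0, R, L, visible, D, B, name):
    """Algorithm 3: Refine. Add boolean `name` valued 0 on D, 1 on B and None
    (bottom) elsewhere, make it visible and re-abstract. Returns the extended
    concrete model, the new visible set and the refined abstract model."""
    def ext(s):
        return s + ((name, 0 if s in D else 1 if s in B else None),)
    S2 = {ext(s) for s in S}
    S02 = {ext(s) for s in S0}
    R2 = {(ext(a), ext(b)) for (a, b) in R}
    L2 = {ext(s): L.get(s, set()) for s in S}
    vis2 = visible | {name}
    return S2, S02, R2, L2, vis2, abstract(S2, S02, R2, L2, vis2)

def mc(S_hat, S0_hat, R_hat, L_hat, bad):
    """Stand-in model checker for AG(not bad): BFS for a shortest abstract path
    from an initial state to a state labelled `bad`; returns it or None."""
    queue = deque((s, (s,)) for s in S0_hat)
    seen = set(S0_hat)
    while queue:
        s, path = queue.popleft()
        if bad in L_hat[s]:
            return path
        for (u, t) in R_hat:
            if u == s and t not in seen:
                seen.add(t)
                queue.append((t, path + (t,)))
    return None

def abstract_mc(S, S0, R, L, visible, bad):
    """Algorithm AbstractMC: abstract, check, refine until a real counterexample
    is found or the abstract model is safe. Returns (verdict, number of abstract
    states, number of refinements)."""
    i, K_hat = 0, abstract(S, S0, R, L, visible)
    while True:
        pi = mc(*K_hat, bad)
        if pi is None:
            return "safe", len(K_hat[0]), i
        res = check_spurious(pi, S, R, visible)
        if res is None:
            return "counterexample", len(K_hat[0]), i
        i += 1
        S, S0, R, L, visible, K_hat = refine(S, S0, R, L, visible, res[1], res[2], f"B{i}")

# Constructed concrete model: x1 visible, x2 invisible. c5 is the only state
# labelled "err" and is unreachable, so AG(not err) holds concretely, but the
# abstraction over x1 alone contains the spurious path x1=0 -> x1=1 -> x1=2.
def st(x1, x2):
    return (("x1", x1), ("x2", x2))

c1, c2, c3, c4, c5, c6 = st(0, 0), st(1, 0), st(1, 1), st(1, 2), st(2, 0), st(1, 3)
S = {c1, c2, c3, c4, c5, c6}
S0 = {c1}
R = {(c1, c2), (c2, c2), (c3, c4), (c4, c5), (c5, c5), (c6, c6)}
L = {c5: {"err"}}
VIS = {"x1"}

if __name__ == "__main__":
    print(abstract_mc(S, S0, R, L, VIS, "err"))               # ('safe', 5, 1)
    print(abstract_mc(S, S0, R | {(c2, c3)}, L, VIS, "err"))  # ('counterexample', 3, 0)
```

On the constructed model the first run finds the abstract path $x_1{=}0 \to x_1{=}1 \to x_1{=}2$, reports $x_1{=}1$ as the failure state with $\mathcal{D} = \{c_2\}$, $\mathcal{B} = \{c_3, c_4\}$ and $\mathcal{I} = \{c_6\}$, and one refinement splits exactly that state into three (five abstract states in total) while leaving the other two untouched; the refined abstraction is then safe. Adding the concrete edge $(c_2, c_3)$ makes $In$ and $Out$ overlap, so the same abstract path is accepted as a real counterexample without any refinement.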



6 Conclusion

An efficient method for abstraction refinement is given in this paper. With this approach, the NP-hard state separation problem can be avoided, and a smaller refined abstract model can be obtained. This can improve abstraction-based model checking, especially counterexample guided abstraction refinement. In the near future, the proposed algorithm will be implemented and integrated into the tool CEGAR. Further, some case studies will be conducted to evaluate the algorithm.